Roles & Permissions
Control who can view, edit, publish, and manage your ShapeBox projects with granular role-based access control.
Roles & Permissions
ShapeBox uses role-based access control (RBAC) to manage what each person can do across your workspace and individual projects.
Workspace roles
Workspace roles apply to every project in your workspace:
| Role | Description |
|---|---|
| Owner | Full control. Can manage billing, delete the workspace, and assign any role. Only one Owner per workspace. |
| Admin | Can manage members, create and delete projects, and change workspace settings. Cannot change billing. |
| Member | Can create projects and edit projects they are explicitly given access to. |
| Guest | Can only access projects they are directly invited to. Cannot create projects. |
Change a member's workspace role from Dashboard → Team → [Member name] → Edit Role.
Project-level permissions
On top of workspace roles, each project has its own access list that overrides workspace-level access:
| Permission | Can do |
|---|---|
| Editor | View, edit, and save the project. Cannot publish or delete. |
| Publisher | Everything an Editor can do, plus publish and unpublish the scene. |
| Owner | Full control including deleting the project and managing its access list. |
| Viewer | View the project in read-only mode. Cannot make any changes. |
Manage a project's access list: open the project → Share → Manage Access.
Default access for new projects
By default, new projects are private — only their creator has access. To change the default:
Dashboard → Settings → Default Project Visibility
Options:
- Private (default) — only explicitly invited members.
- Workspace — all Members and above in the workspace can view.
- Workspace (edit) — all Members and above can view and edit.
Inheriting access
| User type | Default project access |
|---|---|
| Workspace Admins | Automatically have Owner access to all projects |
| Workspace Members | No access to projects unless explicitly invited |
| Workspace Guests | No access to any project unless explicitly invited |
Publishing permissions
Only users with Publisher or Owner project access can:
- Publish or unpublish the scene.
- Change visibility settings (Public, Unlisted, Private).
- Set or remove a custom domain.
- Enable or disable password protection.
API key access
API keys (generated under Account → API Keys) inherit the workspace role of the user who created them. A key created by a Member cannot perform Admin-only actions.
Enterprise: Enterprise plans support SAML SSO and can sync roles from your identity provider (IdP). Contact your account manager for setup.
Removing a member
- Dashboard → Team → [Member name] → Remove from workspace.
- Their access to all projects is immediately revoked.
- Content they created (objects, scripts, uploaded assets) remains in the project.
- Their account is not deleted — only their workspace membership.
Transferring ownership
To transfer the workspace Owner role to another Admin:
- Dashboard → Settings → Transfer Ownership.
- Select the new owner (must already be an Admin).
- Confirm the transfer.
The previous owner becomes an Admin. This action cannot be undone by the new owner — only the new owner can reverse it.